Reimagining the SOC: A Lesson From the Military on 9/11
To sustain the fight against a decentralized global enemy in cyberspace, the modern SOC must engage in a change management experiment to become more agile.
Dan Verton
MITRE Adversarial Tactics, Techniques and Common Knowledge (MITRE ATT&CK) is a model and knowledge base of adversary behavior. Designed to look at attacks from the attacker’s perspective, it catalogs the attack lifecycle of different adversaries and the platforms they choose to target, all based on real-world observations.
ATT&CK is not a static framework and is updated with new adversaries, tactics, techniques, and other information supplied by security vendors and organizations around the world. Since its public release, MITRE ATT&CK has become a gold standard in the endpoint security space.
MITRE ATT&CK helps defenders understand security from the eyes of the adversary. It provides a unique perspective to design better security programs, tools, and processes. The framework also serves as a common language and shared repository for security professionals to continuously provide feedback and inputs to improve security.
MITRE ATT&CK can improve efficiency by empowering analysts of all levels to understand what is happening during an attack and what will happen next. It breaks the attack down into 14 tactics with associated techniques that are most commonly used by attackers.
From reconnaissance to gaining initial access, to persistence, and finally to exfiltration and impact, the MITRE ATT&CK framework walks you step by step through how an attack unfolds.
Identify what inputs are available to you. Consider incorporating threat intelligence into your security processes, along with indicators of compromise and behavioral indicators, and mine data from your own resources such as Splunk and Hadoop to drive your security process improvement.
Take the time to create an Adversary Emulation Plan (AEP). The AEP guides your security team in safely testing itself against the latest threats while also identifying opportunities for security improvement. AEPs are composed of several sections, including an overview of the plan, an overview of the adversary group, a detailed listing of the emulation phases, and a bibliography of sources.
When running the attack simulation, your red team must ensure their exercises simulate the actual attack resources the adversary uses. This includes resources and activities like an external command and control server, the proper infiltration and exploitation techniques, and the completion of data exfiltration. If your team skips or fails to execute certain steps, you will inevitably miss important activities that take place in an actual attack.
At a minimum, your red team should use adversary emulation plans and tactics, techniques, and procedures (TTPs) for execution and should actively report on the success of their activities. Be sure to document all resources your red team uses and maintain constant communication with them throughout the simulation. If your existing tooling is unable to detect parts of the attack simulation, your team should conduct threat hunting to uncover more aspects of the attack.
Develop a process and technology improvement plan based on the results of the attack simulation and the final report. Incorporate the results of several different adversary group simulations, since results can vary significantly from one simulation to the next and that variation can influence technology decisions.
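As an added example that is not code from the original post or from Cybereason, the following Python script turns the procedure above (an AEP listing one technique per tactic, a red-team execution report, and the detection outcome of each step) into a coverage gap analysis: executed steps that raised no alert become threat-hunting candidates, skipped steps are flagged because they leave no evidence either way, and the remaining gaps are ordered earliest-tactic-first for the improvement plan. The plan, the report and the outcomes are constructed sample data, and the technique IDs are assumed to match the public ATT&CK matrix.

```python
"""Detection-coverage gap analysis for an adversary emulation exercise.
Added example, not code from the original post or Cybereason: the plan, the
red-team report and the outcomes are constructed; ATT&CK IDs assumed correct."""
from collections import defaultdict

TACTIC_ORDER = ["Initial Access", "Execution", "Persistence",
                "Command and Control", "Exfiltration", "Impact"]
# Constructed AEP phases, one technique per phase: ID -> (name, tactic).
AEP = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1053": ("Scheduled Task/Job", "Persistence"),
    "T1071": ("Application Layer Protocol", "Command and Control"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}

# Constructed red-team report: ID -> (executed?, outcome). Outcome is "alert"
# (tooling fired), "telemetry" (logged but no alert) or "none".
REPORT = {
    "T1566": (True, "alert"),
    "T1059": (True, "telemetry"),
    "T1053": (True, "none"),
    "T1071": (True, "none"),
    "T1041": (False, "none"),  # step skipped: no evidence either way
    "T1486": (True, "alert"),
}

def analyze(plan, report):
    """Return per-tactic alert coverage, hunting candidates and skipped steps."""
    counts = defaultdict(lambda: [0, 0])  # tactic -> [alerted, executed]
    hunt, skipped = [], []
    for tid, (_, tactic) in plan.items():
        executed, outcome = report.get(tid, (False, "none"))
        if not executed:
            skipped.append(tid)  # a skipped step hides real attack activity
            continue
        counts[tactic][1] += 1
        if outcome == "alert":
            counts[tactic][0] += 1
        else:
            hunt.append(tid)  # executed but not alerted: threat-hunt here
    coverage = {t: a / e for t, (a, e) in counts.items()}
    return {"coverage": coverage, "hunt": hunt, "skipped": skipped}

def improvement_plan(result, plan):
    """Order detection gaps earliest-tactic-first: fixing them there cuts the chain soonest."""
    rank = {t: i for i, t in enumerate(TACTIC_ORDER)}
    gaps = sorted(result["hunt"], key=lambda tid: rank[plan[tid][1]])
    return [f"{tid} {plan[tid][0]} [{plan[tid][1]}]" for tid in gaps]
```

A tactic that was never exercised (here Exfiltration, because the step was skipped) is deliberately absent from the coverage map rather than reported as covered.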
This year, Cybereason achieved the best results in the history of the MITRE ATT&CK evaluations. The evaluation took the technology from 30 participating vendors and pitted it against real-world simulations of two notorious ransomware and data destruction gangs, Wizard Spider and Sandworm. The results speak for themselves.
Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud, and across the entire enterprise ecosystem. Only the AI-driven Cybereason Defense Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.
Dan Verton is Director of Content Marketing at Cybereason. Dan has 30 years of experience as a former intelligence officer and journalist. He is the 2003 first-place recipient of the Jesse H. Neal National Business Journalism Award for Best News Reporting – the nation’s highest award for tech trade journalism and is the author of the groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill, 2003). He most recently served as an intelligence advisor and co-author of a nationwide TSA anti-terrorism awareness training program.